
3rd party Network Device Profiles

zivanovichn
Level 1

I have a wide array of devices in my environment and was wondering if there are any Network Device Profiles for Fortinet and Palo Alto devices?

Accepted Solution

For TACACS+, there is no special config needed for the NAD Profile. If you simply wish to have the option to select a certain vendor, then I suggest you simply add a new profile (give it a name, set vendor to "Other", enable TACACS+, and optionally set the icon and description to the specific vendor).

/Craig

8 Replies

Jason Kunst
Cisco Employee

Network device profiles are used for wired, wireless and VPN use cases.

https://communities.cisco.com/docs/DOC-64547

The vendors you mention aren’t used for user connectivity to the network.

Fortinet, I believe, is used as a firewall for perhaps internet connectivity, and all that can be done is perhaps log guest traffic? There are community posts on that.

Palo Alto is another firewall but I don't currently see any integration from them. This is also not a valid case. For example, Check Point is able to use TrustSec SGT (Scalable Group Tags) to match policies shared via pxGrid.

It would be best to research what each device is used for and the possible integration behind that. And if you have further questions, please reach out.

Thanks Jason, I am mainly interested in the Fortinets because we are implementing an SD-WAN solution and the Fortinets will be passing some of that traffic.

I also would like to have the profiles so that I would be able to properly classify the devices within ISE. We do our TACACS authentication and authorization through ISE and can't label those devices correctly right now.

Thanks,

Niko Zivanovich

There are no network device profiles because Fortinet doesn’t do wired/wireless or VPN connectivity for the end users. You don’t add Fortinet devices to ISE.

If you are talking about profiling the network access devices just to see what is out there then make sure after ISE is up and running.

I still don’t see the use case and how it integrates with ISE.

For TACACS it's fairly straightforward. You add the network access device that needs to process device admin. There are no profiles to handle this. It should work as long as they follow the standards.

If there are still problems you can work with the TAC as well for troubleshooting.

Easier shown in the picture below, I will be adding the Fortinet Firewalls, switches, and controllers into ISE for the TACACS authentication. Currently I am only able to classify those devices as: Cisco, HP, Aruba, Brocade, and Ruckus; was hoping to add other Vendor device profiles so that I could classify my network devices correctly.

Please follow the process here and work with the TAC.

https://communities.cisco.com/docs/DOC-64547

Then please share.

Hi Jason,

Do we have a Network Device Profile for Broadcom switches? If so, is there any documentation on the same that can be used to create the profile? 

Thanks

Sampath


@sampathss wrote:

Hi Jason,

Do we have a Network Device Profile for Broadcom switches? If so, is there any documentation on the same that can be used to create the profile? 

Thanks

Sampath


Unfortunately we don't have everything out there. I'd work with Broadcom to see what they need as well, and please share if not already here.

https://community.cisco.com/t5/security-documents/ise-third-party-nad-profiles-and-configs/ta-p/3648719

https://community.cisco.com/t5/security-documents/how-to-create-ise-network-access-device-profiles/ta-p/3631103